Phishing Texts or SMSs
SMS Phishing Fraud Defence
Knowing how to block phishing texts and spam emails is essential for personal information security, as both are seemingly as inevitable as the tides. Arriving unbidden and most unwelcome, these communications are a frequent reminder of the value of our information, and of the lengths to which criminals will go to get their hands on it.
As with phishing emails, most phishing texts are untargeted attacks, sent out en masse to thousands, if not millions, of would-be victims in the hope that a tiny minority will fall for the trap. These messages are not sent from other phones but from computers, and so cost attackers next to nothing.
Though this form of unsolicited communication is illegal in many parts of the world (certainly under GDPR), there are many things you as the user can do to better understand and avoid phishing texts and other modes of phishing.
Phishing and Smishing Attacks
You’re likely familiar with the term ‘phishing’, a form of attack that hopes to ‘hook’ you into handing over confidential information or funds. Not specific to a channel or medium, phishing is a form of fraud most associated with email.
Smishing, on the other hand, is specific: it refers to phishing attacks that exploit SMS (short message service) texts in order to extract sensitive or valuable information from targets.
Traditional phishing attacks employ several techniques to manipulate recipients. These can include look-alike addresses that mimic official or trusted senders, malicious attachments such as malware or ransomware, a sense of urgency intended to fluster readers, and malicious links, which are often obfuscated.
Some of these same methods can be used in smishing attacks, especially malicious links, which can direct victims to fraudulent websites designed to pocket login credentials and any other sensitive data.
The more sophisticated style of attack can even spoof phone numbers or the sender’s name (‘Your Bank’, for example). Caller ID spoofing is an especially pernicious problem, as it can call into question the origins of any message.
Considering the extent of the damage and cost incurred as a result of successful phishing attacks, this may all sound a little daunting to some users. Luckily, there are plenty of simple steps that you can take to help protect yourself against all forms of phishing and ensure a broader information security defence.
As with all communications, recipients should always be wary of a message which is directing you to take an action, follow any link or hand over any information. By taking the time to inspect the message for spelling or grammatical mistakes, you may be saving yourself a lot of bother.
Though trustworthy contacts are not infallible when it comes to spelling or grammar, it’s unlikely that businesses will be sending out unchecked messages. What’s more, scammers often purposefully misspell certain words to bypass filters and firewalls.
Likewise, thoroughly inspecting the address or number from which a message comes is worth the few extra moments. As with an email address, entering the sender’s number into a search engine will usually give you a good indication of whether the sender is genuine or not.
One very basic lesson that can be applied to all forms of phishing is to avoid following any links. In emails and texts alike, the actual address of a link may be purposefully disguised or hidden to make the link appear more trustworthy. Prior to clicking any links, the address should be inspected.
This can be done on most computers by hovering over the link without clicking, and on most modern smartphones the same can be achieved by holding down over the link rather than clicking. If the domain to which you are being directed does not match up or seem correct to you, head to the organisation’s website directly and find the relevant page yourself.
By following these links blindly, you can open yourself up to all kinds of issues, including malicious downloads or apps being installed without your knowledge. Though the temptation to click a link can be strong, you are invariably better off verifying through other means.
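The link inspection described above, written out as an added example (not code from the original article): it pulls each link out of a message and compares the host the link really points at against the domain you expect. The bank domain, the allowlist and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the domains you actually expect this sender to use.
TRUSTED_DOMAINS = {"examplebank.co.uk"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def link_host(url):
    """Return the host a URL really points at (userinfo and port stripped)."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def review_sms(text, trusted=TRUSTED_DOMAINS):
    """Return (url, host, verdict, reasons) for each link in an SMS body."""
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")  # drop sentence punctuation after the link
        host = link_host(url)
        reasons = []
        if "@" in urlsplit(url).netloc:
            reasons.append("text before '@' is not the destination")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode label (possible look-alike characters)")
        if re.fullmatch(r"[0-9.]+", host):
            reasons.append("raw IP address instead of a domain")
        if not is_trusted(host, trusted):
            reasons.append("host is not the expected domain")
        findings.append((url, host, "suspicious" if reasons else "ok", reasons))
    return findings


# Constructed sample messages (not taken from real campaigns).
SAMPLES = [
    "Your statement is ready: https://online.examplebank.co.uk/statements",
    "Account locked. Verify now: https://examplebank.co.uk.secure-login.example/verify",
    "Confirm payee: https://examplebank.co.uk@203.0.113.7/confirm",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        for url, host, verdict, reasons in review_sms(sms):
            print(f"{verdict:10} {host:40} {'; '.join(reasons)}")
```

The second and third samples both begin with the expected name, yet the host that is actually contacted is a different domain and a bare IP address respectively, which is why the comparison is made on the parsed host rather than on how the link reads.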
Do Not Respond
By responding to a phishing or smishing message, you confirm to a scammer that your number or address is genuine. Much of the time, these messages are sent to huge unverified lists of numbers, so by verifying your number or address as active, you increase the likelihood of further attacks being made against you.
Phishing SMS messages will also use recipients’ familiarity with normal practices against them, ‘Text STOP to 7XX7’ being the most common. By replying to this, you could be inadvertently giving the scammers the verification they are after.
How to Block Phishing Texts
Depending on your device, there may be several ways to help block unknown numbers and filter out spam or phishing messages.
For example, for iPhones: Settings > Messages > Filter Unknown Senders. Enabling this control will place messages from unknown senders into a separate list that can be viewed independently of existing contacts. As well as this, there is also the option to add contact details to a ‘Block List’.
There is also a range of apps and extensions available for most device types, which can be found on any of the major app stores. As always, when installing a new application, ensure the reliability and trustworthiness of the app prior to downloading or purchasing.
Though avoidance is your best defence against all varieties of scams, attacks and threats, if you have discovered something malicious and want to help others avoid it, or you have been a victim of digital fraud, there are several ways to report a phishing attack, depending on where you are.
If you’re based in the UK, your best option is to go to GOV.UK and follow the appropriate links provided there (remember to check the address before clicking the link). For other territories, use a trusted search engine in your research.
With most UK networks you can also report the SMS as spam by forwarding the message and number to 7726 at no charge. You can also, if you feel it necessary, report the incident to the UK’s Information Commissioner’s Office (ICO) or the National Fraud and Cyber Crime Reporting Centre (Action Fraud).
Preventing Future Phishing Attacks
Protecting your information should be a top priority for everyone. By adequately safeguarding your information and knowing how to block phishing texts, you reduce your chances of all kinds of problems, namely fraud.
Before handing over your email address, phone number or anything else, you should understand who it is you are volunteering this information to, and how they intend to use it. We are frequently prompted to exchange details in all manner of transactions, and though there may be legal protections against these details being passed on to other parties, this kind of nefarious behaviour happens all too often.
Avoid sharing any of your sensitive information publicly, in person or on the internet. In the case of emails, there are resources (such as HIBP) available to help inform you about data leaks, hacks and breaches in which your details may have been compromised. Occasionally checking a service such as this will hopefully give you time enough to change any relevant passwords or login credentials before your info can be exploited.
Robocalls and Vishing
Most people will be familiar with the automated spam calls that have become increasingly common in the last several years. Thankfully, often these robocalls are quite easy to detect and are more of an annoyance than a legitimate threat, though with the advent of more sophisticated AI systems and ‘deep fake’ technology, voice-based phishing is worth mentioning.
While over-the-phone scams have been around for almost as long as the phone, deep fake voice technology is new on the horizon. With the technology to potentially mimic familiar voices, the need for secondary verification is increasingly a necessity rather than a redundancy.
The world’s first case of deep fake vishing was reported last year, costing a German energy company almost £200,000. With the attackers mimicking the voice of an executive, an overseas manager was duped into making a transfer to what he believed to be a legitimate supplier account.
Though vishing is unlikely to be a common threat any time soon, as with email and SMS phishing, the same general rules apply to voice-based scams also, and any sensitive information requests, transfers etc. should be verified - ideally through two separate means of communication.